Opinions are like a%$*oles, everyone has them and they're usually full of &amp;*it! Argue with our Opinion writers or add your own. Who knows... a great opinion post could land you a featured opinion article!

If you go to school or went to school, you probably have been called hacker(in a bad way), and if anything goes wrong, they look at you.It happens all the time, if someones computer doesn't shutdown, they get error, wireless doesn't work, get virus, and list goes on.

I understand the typical world thinking, that hackers are evil, and anything wrong MUST be their fault. One thing I've learned is to lay low. (Meaning, not necessarily avoid public awareness of me, etc, but not to make it 'obvious') I still let the folks running things know who I was, and even offered to let them monitor my activity, if I even thought I might be touching something that bordered on unacceptable use. I still do, today. The key is to make sure that the people to whom this truly matters (the school administrators, the IT staff, etc) are aware of who you are, and what you're doing, especially if you're already labeled a hacker or a problem, and you want to change that perception, in their view.

Mind you, as you read on, I'm not assuming you have or haven't done anything that I mention, just that this is how you SHOULD be doing things -

If you're working or doing security 'learning' on systems at your school, then you should have full approval from those in authority, to be doing ANYTHING on them. These systems don't belong to you. That being said, the authoritative folks generally wouldn't be allowing you to do anything 'risky' on public systems, unless it was specifically spelled out as some sort of classroom exercise, where they had full control, and could reimage / rebuild at will, at the conclusion of the exercise. If it's not specifically setup for a class, etc, they'd typically set you up on lab machines, or something, on an isolated (keyword = isolated) network. This is, again, assuming that they give you ANY permission to do ANYTHING on their machines and network, other than the normal browsing and school work.

Thus, IF odd things are occurring on machines around you in a 'production' or frequently used REAL environment, then it should be well understood by them, and handled accordingly, that you have not been doing any of the testing on said network or machines, and that your activities are not malicious or troublesome, any more than the next person's. When I administered the network at the school district that I used to be IT Director for, I had proxies (with NO way around them,) and logged EVERYTHING that went in and out of my publicly accessible computers in the buildings. If I saw an IP that looked off, I checked it, etc., especially for any students or staff whom I had ANY question about. We had very clearly spelled out 'Acceptable Use policies' and it was very well known that we'd monitor what you're doing, what sites you're hitting, etc. If you're at a level where you're bypassing these proxies (assuming they have them in place,) then you're possibly a little further ahead in your security learning then you're letting on, in your initial posts.

The idea here is that, if you're being ethical, you MUST get approval for anything you're doing at school, and if you have that approval, and the administrators KNOW when you are doing what you're supposed to be doing, there shouldn't be any issues. It's a trust factor. If they don't trust you, then they won't even give you a LAB to play with, or any outside opportunity. And if that's the case, you shouldn't use the school machines for ANY purpose related to hacking (ethical or not,) and save it for home.

If you're having issues, and being labeled a hacker (malicious or not,) then my suggestion would be to open a very clear discussion with the administrators at your school, and communicate what you will and won't do, what they'll allow you to do or not, and to make sure everything's clearly understood. If that's in place, and you've correctly covered your backside, then I wouldn't worry about labels, and do what you're supposed / allowed to do.

HTH.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

I usually start mumbling something very quietly and make my eye twitch. They leave me alone.

Honestly, most people will fear what they don't know. They understand that you know more than they do about security, and that scares them. It's natural. It usually doesn't take more than 10 to 15 minutest to explain the process of something like pen-testing and how it is different from being a "bad guy."

I tell the person to look up pentesting and ethical hacking on google, but i don't expect them to do it. I also help the person in some way, they don't annoying a lot then. if they keep being ass, you can always find few emails, phone numbers and pictures, and make a webpage.

I blame media, you hardly ever hear about people who have help stop the bad guys. Lots of movie and TV shows portrayal hackers as people who break into government computers or banks and stealing money, secrets, and data.

I would agree with your 'specific' statement that, "people only know what you tell them." The key word is know. But they will 'guess' at the rest. As is commonly said, "Nature abhors a vacuum." As I've been known to say in simpler terms, "In the absence of the facts, people will fill in the blanks with something. Unfortunately that something is usually not accurate and not positive."

So, although I know it was in jest, I would have to disagree with leaving them guessing. I've seen too many cases where people even got fired for this attitude. Communicate with them during the User Awareness Training, during help desk calls, during project planning... any way you can think of to let them know that it is totally ridiculous to think that IT/Security staff is to blame. Our jobs are there to keep things going, not to tear them down.

Inner voice: Deep breath, Don.Don: Sorry. I get a little worked up.Inner voice: That's OK. Better to do it here, then in the workplace.

Agreed with don, and this goes back to my earlier post. As far as general user population, they'll likely NEVER fully understand / care, etc. But for admins and folks to whom this should truly matter, you should always have things very clearly spelled out for them, so as to minimize confusion, and standardize how / when / where you are doing ANYTHING out of the accepted norm, so as to avoid being blamed for issues that may arise, outside of your 'practice.'

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

don wrote:So, although I know it was in jest, I would have to disagree with leaving them guessing. I've seen too many cases where people even got fired for this attitude. Communicate with them during the User Awareness Training, during help desk calls, during project planning... any way you can think of to let them know that it is totally ridiculous to think that IT/Security staff is to blame.

sometimes that doesn't work. I've explained how the firewall works more times than I can count. Until I've been blue in the face. They'll understand it for about a week, but the following week they'll turn around and ask the, site is giving me a 500 error, is the firewall blocking it? or the I can't to another server on the internal network, is the firewall blocking it?

Yes telling them is better than not telling them, but they have to want to know and remember, not just be at the training because they have to be, and forget what they were told when they stop pretending to care.

1) Don't flex your security skills. If you want to use it for good use it appropriately.

2) Tell people about what you know in a comfortable social setting. I usually do it when I feel they are ready to know and I am building rapport with them. In those times they usually go "Wow!" (only if not to offend me maybe lol).

3) I try not to be a nazi paranoid schitzo security dude at work. If I see something as insecure I may make a suggestion to fix it but I won't go in and just tell people that its bad.

Basically it all comes down to this, you want your friends, colleagues, school mates etc on your side. It makes your entire life easier, they understand your better, their information technology risk decreases and everyone benefits from your expertise and mutual co-operation.

don wrote:I would agree with your 'specific' statement that, "people only know what you tell them." The key word is know. But they will 'guess' at the rest. As is commonly said, "Nature abhors a vacuum." As I've been known to say in simpler terms, "In the absence of the facts, people will fill in the blanks with something. Unfortunately that something is usually not accurate and not positive."

So, although I know it was in jest, I would have to disagree with leaving them guessing. I've seen too many cases where people even got fired for this attitude. Communicate with them during the User Awareness Training, during help desk calls, during project planning... any way you can think of to let them know that it is totally ridiculous to think that IT/Security staff is to blame. Our jobs are there to keep things going, not to tear them down.

Inner voice: Deep breath, Don.Don: Sorry. I get a little worked up.Inner voice: That's OK. Better to do it here, then in the workplace.

Hope that helps,Don

i see your point, and i totally agree with you in that situation. especially within organizations communication is key! there is nothing more important to communicate with management about situations that have occured, how they happened, and how they have been solved (and why we need more budget ). its good people know your skills and even more important, you know them yourself! always be honest about your knowledge and dont sell bs, cause karma will come back and bite you!

however, the situation the topic starter described is he's being called a hacker by friends/other people (in school, so none of the above applies). as long as you know they are "no member of the club" its fun to play around with them a little bit. some friends of mine dont know anything about computers, but i just like to have some fun with them just to boost my ego a little bit. so at this point i like them to keep guessing

CISSP, CEH, ECSA, OSCP, OSWP, eCPPT, eWAPT

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

Roll my eyes and laugh it off. What's the most absurd thing you've been accused of? I was performing an IT Audit, doing a policy review at the moment, and a 100MB WAN connection went down. Guess who they suspected? It turned out their ISP accidentally disconnected the wrong circuit, and it remained down for 2-3 hours. *whoops*